SSL handshake attack mitigation

Sergey Kandaurov pluknet at
Thu Nov 7 12:11:14 UTC 2019

> On 6 Nov 2019, at 22:41, mogwai <nginx-forum at> wrote:
> My first question is regarding the particular error log messages produced
> during the attack - see example below:
> [info] 8050#8050: *146 SSL_do_handshake() failed (SSL: error:14094416:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number
> 46) while SSL handshaking, client: XXX.XXX.XXX.XXX, server:
> The "certificate unknown" seems to suggest that nginx is trying to verify
> the certificate of the client, yet "ssl_verify_client" should be off by
> default, so why does nginx care about that certificate?

That's opposite: nginx received a certificate_unknown alert message
from a client for some reason while in handshake.

Sergey Kandaurov

More information about the nginx mailing list